Magniber shellcode is embedded inside the .Net DLL and the purpose of the shellcode is to inject the Magniber shellcode into multiple currently running processes. Figure 3 shows the code routine through which the Magniber shellcode injects the shellcode into a normal running process. As a result of the code routine shown in Figure 3, a normal process that is running in the user system behaves as ransomware.
V3 products detect and block latest Magniber variants using Malicious Script Detection (AMSI) and Process Memory Scan.
Currently, AhnLab is responding to the Magniber ransomware with not only file detection but also using various detection methods. Thus, it is recommended that users should select Enable Process Memory Scan and Use Malicious Script Detection (AMSI) options in [V3 Settings] – [Scan Settings].
– f75c520810b136867a66b1c24f610a5b (Ransomware/JS.Magniber.S1915 (2022.09.15.03))
[Process Memory Scan]
– Ransomware/Win.Magniber.XM153 (2022.09.15.03)
[MD5 (Detection Name)] – AMSI Detection (.NET DLL)
– e59d7d6db1fcc8dfa57c244ebffc6de7 (Ransomware/Win.Magniber.R519329 (2022.09.15.02))
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.